OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: marcelmah on August 13, 2021, 03:38:18 pm

Title: Sensei and Wireguard clients
Post by: marcelmah on August 13, 2021, 03:38:18 pm
Hi,

I'm using Sensei (premium home edition) to protect my daughters from certain sites.
I also want them protected when they use their tablets on someone else's WiFi.
So I created WireGuard profiles for all devices.

WireGuard works fine, but no filtering happens...

I'm running OPNsense 21.1.9_1-amd64.

I read that it wasn't possible at first, but this was months ago and SV was funding netmap to get it to work.
I can, and I have, selected my wg0 interface as one of the protected interfaces.

Can this work now? If not, is it being developed? Can we track progress? If it's possible, what am I doing wrong?
Title: Re: Sensei and Wireguard clients
Post by: beki on August 13, 2021, 05:21:00 pm
Hi marcelmah,

Can you try with tcpdump when Sensei is active? If there are no packets with tcpdump either, then bypass the Sensei Packet Engine (Status - Services - Packet Engine - Enter Bypass Mode) and run tcpdump again.

tcpdump -s0 -ni wg0 -vvv

Title: Re: Sensei and Wireguard clients
Post by: marcelmah on August 16, 2021, 12:18:14 am
Quote from: beki on August 13, 2021, 05:21:00 pm
Hi marcelmah,

Can you try with tcpdump when Sensei is active? If there are no packets with tcpdump either, then bypass the Sensei Packet Engine (Status - Services - Packet Engine - Enter Bypass Mode) and run tcpdump again.

tcpdump -s0 -ni wg0 -vvv

Hi, when I enter this command on my OPNsense shell it shows a lot of traffic.
No filtering happens, though... When I'm connected on my LAN I can no longer visit the sites I've blocked.
Title: Re: Sensei and Wireguard clients
Post by: athurdent on August 16, 2021, 06:23:53 am
Are you using a custom policy to filter, or the default one? In case of a custom policy, it might be necessary to add the wg0 interface there.
Title: Re: Sensei and Wireguard clients
Post by: marcelmah on August 16, 2021, 10:35:49 am
Quote from: athurdent on August 16, 2021, 06:23:53 am
Are you using a custom policy to filter, or the default one? In case of a custom policy, it might be necessary to add the wg0 interface there.

When I did the test I disabled the custom policy, so only the default one was active.
I disconnected my phone from WireGuard, disabled WiFi and enabled the hotspot.
I used my laptop to test the blocked site (it was blocked).
I then disconnected from my WiFi and connected to my mobile hotspot.
I could now browse the blocked website (this is as expected).
I then connected to one of my daughters' WireGuard profiles, but was still able to browse to the websites that should have been blocked. The profile was working, as I had my fixed line WAN IP address and could browse local LAN devices.